Open itssadon opened 1 year ago
The issue is an incompatibility between DO's load balancer and the way k8s works.
The workaround is:
```yaml
annotations:
  service.beta.kubernetes.io/do-loadbalancer-hostname: "kube.mydomain.com"
```
Final nginx values file should look similar to the below:
```yaml
...
service:
  type: LoadBalancer
  annotations:
    # Enable proxy protocol
    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
    # Specify whether the DigitalOcean Load Balancer should pass encrypted data to backend droplets
    service.beta.kubernetes.io/do-loadbalancer-tls-passthrough: "true"
    # Specify an annotation pointing to that newly created DNS entry
    service.beta.kubernetes.io/do-loadbalancer-hostname: "kube.mydomain.com" # <--- here
```
More info here
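The comment above boils down to one rule: on a DigitalOcean cluster, a Service that turns on PROXY protocol also needs the `do-loadbalancer-hostname` annotation, otherwise in-cluster clients (cert-manager's HTTP-01 self check among them) get short-circuited by kube-proxy to the controller pods without ever passing the load balancer, and arrive without a PROXY header. The linter below is an added example, not cert-manager, ingress-nginx or DigitalOcean code; it checks a rendered `Service` object (the chart's `service:` values block ends up as `metadata.annotations` on that object) and flags the annotation combinations this thread describes. `make_service`, `BROKEN_SERVICE` and `FIXED_SERVICE` are constructed samples, and the reading of why the hostname annotation matters is mine.

```python
"""Lint a rendered DigitalOcean LoadBalancer Service for the annotation
combination this thread settles on. Added example; not cert-manager,
ingress-nginx or DigitalOcean code."""
import ipaddress
import re

DO_PREFIX = "service.beta.kubernetes.io/do-loadbalancer-"
PROXY_PROTOCOL = DO_PREFIX + "enable-proxy-protocol"
TLS_PASSTHROUGH = DO_PREFIX + "tls-passthrough"
HOSTNAME = DO_PREFIX + "hostname"

# One RFC 1123 label: 1-63 chars, alphanumeric or '-', not starting/ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def _is_true(value):
    return str(value).strip().lower() == "true"


def _valid_hostname(name):
    """Reject empty names, literal IP addresses and labels that break RFC 1123 rules."""
    if not name or len(name) > 253:
        return False
    try:
        ipaddress.ip_address(name)
        return False  # an IP here defeats the purpose of the annotation
    except ValueError:
        pass
    return all(_LABEL.match(label) for label in name.lower().rstrip(".").split("."))


def lint_service(manifest):
    """Return a list of findings (an empty list means the Service passes)."""
    findings = []
    spec = manifest.get("spec") or {}
    annotations = (manifest.get("metadata") or {}).get("annotations") or {}
    if spec.get("type") != "LoadBalancer":
        findings.append("spec.type is not LoadBalancer; the DO load balancer annotations do nothing")
        return findings
    proxy = _is_true(annotations.get(PROXY_PROTOCOL, "false"))
    passthrough = _is_true(annotations.get(TLS_PASSTHROUGH, "false"))
    hostname = annotations.get(HOSTNAME)
    # The thread's bug: kube-proxy short-circuits in-cluster traffic to the LB IP
    # straight to the pods, so nginx sees a connection with no PROXY header
    # (assumption based on the workaround above, not a statement from the page).
    if proxy and hostname is None:
        findings.append(
            f"{PROXY_PROTOCOL}=true without {HOSTNAME}: in-cluster clients (including "
            "cert-manager's HTTP-01 self check) bypass the load balancer and reach the "
            "controller without a PROXY header"
        )
    if hostname is not None and not _valid_hostname(hostname):
        findings.append(f"{HOSTNAME}={hostname!r} is not a valid DNS hostname")
    # TLS passthrough makes the LB a plain TCP proxy; without PROXY protocol the
    # backend only ever sees the load balancer's address as the client IP.
    if passthrough and not proxy:
        findings.append(
            f"{TLS_PASSTHROUGH}=true without {PROXY_PROTOCOL}: the backend only sees "
            "the load balancer's address as the client IP"
        )
    return findings


def make_service(annotations, name="ingress-nginx-controller"):
    """Build a minimal rendered Service (constructed sample, not from the page)."""
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {"name": name, "annotations": dict(annotations)},
        "spec": {"type": "LoadBalancer", "ports": [{"port": 80}, {"port": 443}]},
    }


# Before: proxy protocol on, hostname annotation missing (the state that stalls the self check).
BROKEN_SERVICE = make_service({PROXY_PROTOCOL: "true", TLS_PASSTHROUGH: "true"})
# After: the values file from this thread, as rendered into the Service.
FIXED_SERVICE = make_service({
    PROXY_PROTOCOL: "true",
    TLS_PASSTHROUGH: "true",
    HOSTNAME: "kube.mydomain.com",
})

if __name__ == "__main__":
    for label, svc in (("broken", BROKEN_SERVICE), ("fixed", FIXED_SERVICE)):
        print(label, lint_service(svc) or "OK")
```

Run it against `kubectl get svc -n ingress-nginx ingress-nginx-controller -o json` (loaded with `json.load`) to check a live cluster; the `BROKEN_SERVICE` sample produces exactly the finding this thread is about, and `FIXED_SERVICE` produces none.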
Bug Report
Describe the bug
When requesting ACME certificates, cert-manager created Order and Challenges to complete the request. However, the certificate was not issued because there was a self check failure.
Affected Components
Challenge
Expected Behavior
Actual Behavior
From troubleshooting the certificate request all the way to the challenge, the status shows that the challenge has been presented using the HTTP-01 solver successfully and now cert-manager is waiting for the 'self check' to pass. According to the troubleshooting docs, both HTTP01 and DNS01 go through a "self-check" first before cert-manager presents the challenge to the ACME provider. This is done so as not to overload the ACME provider with failed challenges due to DNS or load balancer propagation.
Steps to Reproduce
Follow the guide to add an Ingress to the cluster, as found here
Additional context
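To make the "self check" in the report above concrete: for HTTP-01, cert-manager fetches `http://<domain>/.well-known/acme-challenge/<token>` itself and only reports the challenge to the ACME server once the body matches the expected key authorization. Because that request leaves from inside the cluster and goes to the public hostname, it is exactly the path that breaks when in-cluster traffic cannot reach the load balancer. The example below is added here and is not cert-manager's code: it runs a local stand-in for the solver pod on 127.0.0.1 and performs the same GET-and-compare, returning a reason when the request fails or the body does not match. The token and key authorization values are constructed; real ones come from the ACME server and the account key.

```python
"""Emulate cert-manager's HTTP-01 self check against a local stand-in for the
solver pod. Added example; not cert-manager's code."""
import http.server
import threading
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


class _SolverHandler(http.server.BaseHTTPRequestHandler):
    """Serves token -> key authorization, the way the HTTP-01 solver pod does."""
    challenges = {}

    def do_GET(self):
        token = self.path[len(ACME_PATH):] if self.path.startswith(ACME_PATH) else None
        key_authorization = self.challenges.get(token)
        if key_authorization is None:
            self.send_error(404)
            return
        body = key_authorization.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_solver(challenges):
    """Start a local solver on 127.0.0.1 (random port) and return (server, base_url)."""
    handler = type("Handler", (_SolverHandler,), {"challenges": dict(challenges)})
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address[:2]
    return server, f"http://{host}:{port}"


def stop_solver(server):
    server.shutdown()
    server.server_close()


def self_check(base_url, token, key_authorization, timeout=5):
    """GET the challenge URL and compare the body with the expected key
    authorization. Returns (passed, reason); a failed request is a failed check,
    which is the state the issue above describes."""
    url = f"{base_url}{ACME_PATH}{token}"
    # Go direct, ignoring any http_proxy in the environment, as a self check should.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except (urllib.error.URLError, OSError) as exc:
        return False, f"request to {url} failed: {exc}"
    if body != key_authorization:
        return False, f"unexpected body at {url}: {body!r}"
    return True, "self check passed"


if __name__ == "__main__":
    # Constructed token and key authorization (not real ACME values).
    server, base_url = start_solver({"tok-123": "tok-123.thumbprint"})
    try:
        print(self_check(base_url, "tok-123", "tok-123.thumbprint"))
        print(self_check(base_url, "tok-123", "tok-123.other"))
        print(self_check(base_url, "missing", "x"))
    finally:
        stop_solver(server)
```

Point `self_check` at the public hostname of a real cluster (with the solver pod's token) and it reproduces what cert-manager is waiting for; a "request failed" result from inside the cluster, while the same URL works from outside, is the load balancer reachability problem the workaround in this thread addresses.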